Just 5 minutes to understand what is IDS? IDS VS IPS and Firewall

Just 5 minutes to understand what is IDS? IDS VS IPS and Firewall Picture 1

According to research, network systems are hacked, data is lost, downtime is interrupted, . All are nightmares for network administrators and security staff. That is the reason why IDS systems were born. However, not everyone understands specifically what IDS is. This article will help you grasp the basic knowledge related to IDS.

What is IDS?

There are many different IDS products on the market today. Therefore, you need to clearly understand the concept of IDS, the types of IDS and how they work.

IDS  stands for Intrusion Detection System. These are software or tools that help you secure your system and alert you when there is an intrusion. IDS is often part of other security systems or software that comes with the task of protecting information systems.

The most important features of IDS include: monitoring network traffic and suspicious activities; providing warnings about abnormalities to the system and network administrators; combining with firewalls and anti-virus software to create a complete security system.

When reading this, many of you will think that firewalls or anti-virus software are also considered a type of IDS. However, when the scale of the business grows, firewalls or anti-virus software are not enough to protect the entire system from attacks. They are only a very small part of the entire security system.

You need to use IDS as a formal part of your network. IDS can capture the entire system, combined with artificial intelligence and pre-configured configurations to track anomalies in the system, determine when attacks occur, or analyze how attacks occur.

IDS Classification

Now that you understand what an IDS is, you may be wondering how to categorize IDS. There are basically three different types of IDS, or 'parts,' depending on whether you consider them as individual parts or as a system. They include:

Network IDS (NIDS)

Network Node IDS (NNIDS)

Host IDS (HIDS)

At the basic level, network system IDS and network node IDS will focus on network traffic, while host IDS focuses on actions and files on the host.

Network IDS

NIDS are typically placed at vulnerable points in a system. They typically monitor entire subnets and attempt to compare all accesses against a database of attack vectors. NIDS are easy to secure and difficult for attackers to detect. In other words, an attacker will not realize that they have been detected by a NIDS.

However, NIDS analyze a large volume of network traffic, so they sometimes fail to detect attacks as encrypted traffic. In some cases, NIDS require manual action from administrators to ensure proper configuration.

Nod Network IDS

NNIDS also work like NIDS, however they only apply to a single host at a time, not to the entire subnet.

Host IDS

HIDS operates on all devices in the system that are connected to the Internet and all the rest of the enterprise network. Compared to NIDS, HIDS has the ability to monitor internal access more deeply. HIDS can be considered as a second layer of security, against attacks that are not detected by NIDS.

HIDS will examine system-wide files and compare them to previously "captured" "images" to see if there are significant differences (beyond normal business usage), then alert the administrator. 

Compare IDS - IPS - Firewall

When understanding what IDS is, many people will tend to compare IDS with IPS and firewalls. 

Simply put, an IDS is an intrusion detection system, not a "reaction" system to intrusions. An IDS is part of a larger security suite, and an IDS itself is just a monitoring system.

IPS (Intrusion Prevention System) is an Intrusion Prevention System. Thus, IPS includes IDS and a control or response system. IDS cannot regulate intrusions, while IPS has the ability to prevent propagation based on the content of the intrusions.

Both IDS and IPS are data-driven systems that rely on known threats. IDS requires an administrator to review the threats that are alerted, while IPS can block these threats on its own. 

About firewalls . Firewalls are configured to block all access, then you set them to allow certain types of access. Meanwhile, IPS and IDS work in the exact opposite way, allowing all access and alerting/blocking only specific access. So it is best to use firewalls in combination with IPS or IDS.

Main functions of IDS

- IDS allows you to enhance the security of your valuable network devices and network data by monitoring suspicious network traffic and notifying you. Your network needs strong security to protect existing information and network data transmissions both internally and externally. Cyber ​​attacks are becoming more sophisticated and frequent, so it is important to have a comprehensive and effective intrusion detection system.

- Intrusion detection systems help organize important network data . Your network generates tons of information every day through routine activities, and an intrusion detection system can help you differentiate which activities are more important. An intrusion detection system can save you from having to search through thousands of system logs for important information. This can save you time, reduce manual effort, and minimize human error when detecting intrusions.

- Intrusion prevention systems are built to detect, sort, and alert on inbound/outbound network traffic , pinpointing the most important information. By filtering through network traffic, intrusion detection systems can help determine the compliance level of the network and its devices .

- IDS is built to optimize intrusion detection and prevention by filtering through traffic streams. This can save you time, energy, and resources while detecting suspicious activity before it becomes a full-blown threat. IDS also provides greater visibility into network traffic, which can help you combat malicious activity, determine compliance status, and improve overall network performance. The more your IDS captures and understands malicious activity on your network, the more it can adapt to increasingly sophisticated attacks.

IDS Operation

After collecting data, an IDS is designed to observe network traffic and match traffic patterns with known attacks . Through this method (sometimes called pattern correlation), an intrusion prevention system can determine whether unusual activity is a network attack.

Once suspicious or malicious activity is detected, the intrusion detection system sends an alert to designated IT technicians or administrators. IDS alerts allow you to quickly begin troubleshooting and identify the source of the problem or detect and stop malicious actors in their tracks.

Intrusion detection systems mainly use two main intrusion detection methods : signature-based intrusion detection and anomaly-based intrusion detection.

1. Signature-based intrusion detection is designed to detect potential threats by comparing certain network traffic and log data with known attack patterns. These patterns are called sequences (hence the name) and can include byte sequences, known as malicious command sequences. Signature-based detection allows you to accurately detect and identify known attacks.
2. Anomaly-based intrusion detection is the opposite — it is designed to accurately identify unknown attacks, such as new malware, and adapt to them quickly using machine learning. Machine learning techniques allow IDSs to create baselines of reliable activity (called trust models). New behavior is then compared to the verified trust models. False alarms can occur when using anomaly-based IDSs, as previously unknown legitimate network traffic may be misidentified as malicious activity.

Hybrid intrusion detection systems, or IDS , are a combination of signature-based and anomaly-based intrusion detection to increase the scope of your intrusion prevention system. This allows you to identify as many threats as possible. A comprehensive intrusion detection system (IDS) can understand the evasion techniques that cybercriminals use to trick the intrusion prevention system into thinking that there is no attack going on.

Just 5 minutes to understand what is IDS? IDS VS IPS and Firewall Picture 2

Advantages and disadvantages of IDS

When learning about IDS, it is impossible not to mention the advantages and disadvantages of this tool, in order to decide whether to install it or not.

Advantage

- Suitable for collecting data and evidence for investigation and incident response

- Provides a comprehensive, holistic view of the entire network system

- Is a suitable tool for checking problems in network systems.

Disadvantages

- Must be configured properly, otherwise it will cause false alarms.

- Relatively low ability to analyze encrypted traffic

- The cost of developing and operating the system is relatively high.

In addition, when deploying IDS, you need to pay attention to criteria such as: determining IDS technology; determining components; installing safe and suitable configurations for IDS; determining a reasonable location to install IDS; building management and organization mechanisms; preventing false warnings and unnecessary inconveniences from this incident. With the information provided in the article, hopefully you have understood what IDS is, grasped the classification of some types of IDS as well as the strengths and weaknesses of IDS. In today's digital age, equipping an IDS for your business is urgent and practical, to protect your business from potential risks on the system. 

Micah Soto

Update 12 February 2025